Adversaries may leverage Windows startup folders to establish persistence by deploying malicious scripts or executables, which can ensure malicious code runs upon user login. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence mechanisms used by advanced threats.
Detection Rule
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high
// Sentinel (ASIM imFileEvent) translation of the selection above.
// ASIM keeps the full path in TargetFilePath; TargetFileName holds only the file
// name without its directory, so the startup-folder check must use TargetFilePath.
// Both 'contains' and 'endswith' are case-insensitive in KQL, matching Sigma's modifiers.
imFileEvent
| where TargetFilePath contains "\\Windows\\Start Menu\\Programs\\Startup\\"
| where TargetFilePath endswith ".bat"
    or TargetFilePath endswith ".cmd"
    or TargetFilePath endswith ".dll"
    or TargetFilePath endswith ".hta"
    or TargetFilePath endswith ".jar"
    or TargetFilePath endswith ".js"
    or TargetFilePath endswith ".jse"
    or TargetFilePath endswith ".msi"
    or TargetFilePath endswith ".ps1"
    or TargetFilePath endswith ".psd1"
    or TargetFilePath endswith ".psm1"
    or TargetFilePath endswith ".scr"
    or TargetFilePath endswith ".url"
    or TargetFilePath endswith ".vba"
    or TargetFilePath endswith ".vbe"
    or TargetFilePath endswith ".vbs"
    or TargetFilePath endswith ".wsf"
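To check what the selection actually matches before deploying it, the rule's logic is re-implemented here in Python over constructed file-creation records. This is an added example, not code from the rule's authors, the Sigma project or Microsoft Sentinel. It also shows the kind of creating-process exclusion the tuning scenarios below describe; the `FileCreateEvent` fields (`target_filename`, `image`, mirroring Sysmon Event ID 11) and the allowlisted `CcmExec.exe` path are assumptions for this example, not part of the rule.

```python
# Added example: the Sigma 'selection' of the Startup-folder rule re-implemented so it
# can be exercised against constructed records, plus a creating-process allowlist of
# the kind the tuning scenarios suggest. Field names mirror Sysmon Event ID 11
# (TargetFilename, Image) and are assumptions for this example.
from dataclasses import dataclass
from typing import Iterable, List

# Same path fragment and extension list as the rule. Sigma's |contains and |endswith
# modifiers are case-insensitive, so every comparison is done on lower-cased strings.
STARTUP_PATH_FRAGMENT = "\\windows\\start menu\\programs\\startup\\"
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".dll", ".hta", ".jar", ".js", ".jse", ".msi", ".ps1",
    ".psd1", ".psm1", ".scr", ".url", ".vba", ".vbe", ".vbs", ".wsf",
)


@dataclass(frozen=True)
class FileCreateEvent:
    target_filename: str  # full path of the created file (Sysmon TargetFilename)
    image: str            # process that created the file (Sysmon Image)


def matches_rule(event: FileCreateEvent) -> bool:
    """The Sigma selection: Startup-folder path AND one of the listed extensions."""
    path = event.target_filename.lower()
    return STARTUP_PATH_FRAGMENT in path and path.endswith(SUSPICIOUS_EXTENSIONS)


# Hypothetical tuning allowlist (an assumption for this example, not a recommended
# list): full image paths of deployment tooling an organisation has verified as benign.
DEFAULT_ALLOWLIST = frozenset({
    "c:\\windows\\ccm\\ccmexec.exe",  # assumed Configuration Manager client image
})


def is_alert(event: FileCreateEvent, allowlist=DEFAULT_ALLOWLIST) -> bool:
    """Rule match minus tuning. Exclusions key on the exact creating-process path;
    excluding on file name alone is avoided because the file name is attacker-chosen."""
    return matches_rule(event) and event.image.lower() not in allowlist


def evaluate(events: Iterable[FileCreateEvent], allowlist=DEFAULT_ALLOWLIST) -> List[str]:
    """Return the target paths that should raise an alert, in input order."""
    return [e.target_filename for e in events if is_alert(e, allowlist)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # per-user Startup folder, script host writing a VBScript: alert
    FileCreateEvent(
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
        r"C:\Windows\System32\WScript.exe",
    ),
    # all-users Startup folder, double extension with an upper-case suffix: alert
    FileCreateEvent(
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.pdf.JS",
        r"C:\Users\alice\AppData\Local\Temp\installer.exe",
    ),
    # extension not in the list: no alert
    FileCreateEvent(
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
        r"C:\Windows\explorer.exe",
    ),
    # listed extension but outside the Startup folder: no alert
    FileCreateEvent(r"C:\Users\bob\Desktop\run.bat", r"C:\Windows\explorer.exe"),
    # matches the rule but written by an allowlisted image: suppressed by tuning
    FileCreateEvent(
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\config_setup.bat",
        r"C:\Windows\CCM\CcmExec.exe",
    ),
]


if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT", path)
```

Running the module prints the two alerts for the first two events; the `readme.txt` and Desktop records never match the selection, and the `config_setup.bat` record matches the rule but is dropped by the allowlist. Passing `frozenset()` as the allowlist shows the untuned rule firing on all three. In Sentinel the same exclusion would be a `where` clause on the ASIM acting-process field rather than on the file name.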
Scenario: Legitimate Scheduled Task Creation
Description: A system administrator creates a scheduled task to run a legitimate script (e.g., backup_script.ps1) in the startup folder as part of routine maintenance.
Filter/Exclusion: Exclude files created by known administrative tools or tasks, such as those with Task Scheduler or schtasks.exe in their creation context. Example filter: process.parent_process != "schtasks.exe"
Scenario: User-Initiated Script Execution
Description: A user runs a legitimate PowerShell script (e.g., update_script.ps1) from the startup folder to automate system updates or configuration changes.
Filter/Exclusion: Exclude files created by user-initiated actions with a known benign origin, such as scripts associated with Microsoft Intune, Group Policy, or enterprise deployment tools. Example filter: file.name contains "update_script" and file.path contains "Microsoft"
Scenario: System Configuration Tool Placement
Description: A system management tool (e.g., Microsoft Endpoint Configuration Manager) places a configuration script (e.g., config_setup.bat) in the startup folder to ensure settings are applied on reboot.
Filter/Exclusion: Exclude files associated with known enterprise management tools. Example filter: file.name contains "config_setup" and file.path contains "Microsoft Endpoint"
Scenario: Temporary Script for Automation
Description: A developer temporarily places a script (e.g., deploy_tool.js) in the startup folder to automate a deployment process during a maintenance window.
Filter/Exclusion: Exclude files with a short lifespan or associated with known development tools. Example filter: file.name contains "deploy_tool" and file.last_modified > 7 days ago
Scenario: Legacy Application Compatibility
Description: An older application requires a compatibility script (e.g., `compat